They have indeed and somewhat unfortunately come to Australia as well.
This is the reaction from most information security professionals down under:
http://securityreactions.tumblr.com/post/32935107872/crestWhat are the extremely fair examination fees? (GST means "tax".)
- CREST Registered Tester - $1,000 + GST (GST = ~100$)
- CREST Certified Tester (Certified Web Application Tester) - $3,000 + GST (GST = ~300$)
- CREST Certified Tester (Certified Infrastructure Tester) - $3,000 + GST (GST = ~300$)
These fees, only include the certification (and examination process), for this
non-profit company.
As they have a hand in the government, CREST may become mandatory in Australia.
SyllabusCRT - Registered Tester:
http://www.crestaustralia.org/docs/crest-australia-notes-for-candidates-crt-v1.0.pdfhttp://www.crestaustralia.org/docs/crest-australia-technical-syllabus-v1.0.pdfCCT - Certified Web Application Tester:
http://www.crestaustralia.org/docs/crest-australia-notes-for-candidates-cct-v1.0.pdfhttp://www.crestaustralia.org/docs/crest-australia-technical-syllabus-v1.0.pdfCCT - Certified Infrastructure Tester:
http://www.crestaustralia.org/docs/crest-australia-notes-for-candidates-cct-v1.0.pdfhttp://www.crestaustralia.org/docs/crest-australia-technical-syllabus-v1.0.pdfRandom
facts and opinions:
- Does it expire?
Yes, I think it's every 4 years or so. Wouldn't be much of a non-profit if all their uhm, zero profits isn't recurring.
- What's up with the price? It's not really a non-profit company when you have to pay that much for a certification.
- How's the exam, technology wise? You're tested in both current AND seriously outdated information, some of it which a penetration tester may never see or need to hear about.
- How hard is the exam? Almost impossible, at one point you have e.g. 50 practical questions where each often requires a hack of a custom application. (CCT Web App.)
- These practical questions, what are they? Some of them are related to e.g. Blind SQL Injection, where you have to pretty much dump an entire database, where tools such as sqlmap does not work, so you end up having to do it manually, which costs you too much, so you fail and will have to take a retest, which is around 1000$ more, plus GST.
- Is it realistic? Not really. People with 10 years of experience within information, where 5 may be penetration or even the whole 10 years, fail this certification. Despite that I can personally vouch for their skills. Some people come from extreme hacker backgrounds, with so much knowledge you wonder if they are even human, as they have come up with amazing hacks, unreleased research, etc, yet, these people fail too.
- What's the best way to prepare for this exam? Check out the syllabus (region wise), and study all topics in depth. You will definitely be tested in topics you most likely don't need in your job. (i.e. how certain protocols work, oh I forgot, this is more like a computer science exam at some points.)
What do I think? I think it's bs, it's certifications like these that make the infosec industry a joke, especially if it becomes mandatory. CRT and CCT, doesn't make you a penetration tester or a true hacker, it's hard yes, just like CHECK Team Leader, but it does not prove your true skill.
True skill is proven by what you have specialised in, and what you do with that skill. If you're able to think outside the box, and perform advanced hacks and understanding the entire process, then you've got the right skills.
Who's the leaders in courses and certifications?
- Offensive Security
- Corelan
- SANS & GIAC (SOME of their advanced courses, not all of them.)
- Immunity Inc
- SensePost (I have heard they're pretty good, not 100% sure about their courses but their name pops up all the time.)
- Some BlackHat courses (I know that these are different vendors offering courses here.)
- And probably a few others I forgot to mention.
Let's take a look at the syllabus.
First I wonder, why aren't these mentioned:
- Cross-Site Request Forgery (This doesn't seem to be mentioned, or is it under the XSS category? If so, major fail, it has nothing to do with XSS even though it can be used with XSS.)
- Local and Remote File Inclusion (Any web app pentester must know about these. And no they are NOT named code injection in case CREST named them that.)
- DNS Classes (INternet, CHaos, etc.)
- Advanced Cross-Site Scripting (As this certification is aimed at "experts" it seems, it should have at least a basic module about what's possible with XSS, e.g.
http://www.exploit-db.com/vbseo-from-xss-to-reverse-php-shell/ )
Now here comes my "WHY GOD WHY" section:
- Token ring (When was the last time you pentested this? I know how it works, but seriously, this isn't a computer science exam.)
- Generating ICMP packets (LOL? Yes, you can use Scapy, hping3, or for that sake "ping", all of them can generate ICMP packets for you, some of them can generate one (ping), while some can be used to generate virtually all (hping3, and Scapy). But why? Why do you need to be able to prove this?
- rusers (When was the last time you were able to execute this command? 10, 20 years ago?)
- rwho (When was the last time you were able to execute this command? 10, 20 years ago?)
- finger (When was the last time you were able to execute this command? 10, 20 years ago?)
- Berkeley r* services? (When was the last time, or how often have you seen these enabled? I have seen some once or twice over the last year or so, but were they listening on the Internet? No.)
- CRLF Attacks? (LOL, seriously? Call it header injection ffs.)
As I haven't taken the exam yet, but friends have and even right now, some colleagues are taking the certification, the picture I have had drawn out by them doesn't seem pretty.
OSCP - Offensive Security Certified Professional : Failed my first attempt at the OSCP exam
